mcporter
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses
npx mcporterornpm install -g mcporterto download and run the CLI utility from the npm registry. - [COMMAND_EXECUTION]: The
mcportertool can execute arbitrary shell commands via the--stdioflag to start local MCP servers, which is a fundamental feature of the Model Context Protocol. - [REMOTE_CODE_EXECUTION]: The skill includes code generation features (
generate-cliandemit-ts) that create new executable scripts or TypeScript files based on remote server schemas. - [PROMPT_INJECTION]: The skill serves as an interface for external MCP servers, creating an attack surface for indirect prompt injection where untrusted data could influence agent behavior.
- Ingestion points: Tool outputs and server definitions fetched via
mcporter callormcporter list --schema. - Boundary markers: None described in the prompt instructions.
- Capability inventory: Includes shell command execution (
--stdio), network requests, and code generation. - Sanitization: No evidence of output filtering or sanitization is provided in the documentation.
Audit Metadata